From IDF to Inc: The Israeli Cybersecurity Startup Conveyor Belt

One definition of 'entrepreneur' is "a person who organizes and manages any enterprise, especially a business, usually with considerable initiative and risk." If Israel were a business, then its founders were entrepreneurs; and there is little wonder that the nation is imbued with an entrepreneurial spirit.

This spirit shapes Israeli business. Peter Rousseau, now with The Hackett Group, wrote last year, "Seventy-six Israeli companies are currently traded on the NASDAQ, behind only the United States and China. Israel exports $1,246 worth of hi-tech goods and services per capita compared to $488 for the U.S. and $295 for the rest of the world."

Nowhere is the entrepreneurial spirit better demonstrated than in the quantity and quality of contemporary cybersecurity firms that have come from Israel -- starting, perhaps, with Check Point. Check Point was founded in 1993 by Gil Shwed, Shlomo Kramer, and Marius Nacht. Shwed and Kramer had served together in the Israeli Defense Force (IDF) Unit 8200. One of Check Point's earliest employees was Nir Zuk, who moved on to become the founder and CTO of Palo Alto Networks. Zuk also served in IDF Unit 8200 -- and Unit 8200 is a pervasive thread that dominates Israeli cybersecurity firms.

Unit 8200 is the signals intelligence (SIGINT) and web intelligence (WEBINT) unit of the Israeli military; and is generally considered among the elite of the world's intelligence agencies. It is not the only technology unit in the IDF; but it is the offensive or proactive unit. All young Israelis do between 32 and 36 months military service from the age of 18. Those with a particular aptitude for SIGINT are literally 'creamed off' into Unit 8200.

Development of Israel's SIGINT

Unit 8200 did not spring from nothing with the formation of Israel in 1948. Jewish intelligence groups had been working in Palestine both with the ruling British administration, and against the British and Arabs -- sometimes simultaneously -- for many years. After 1948, the Israeli military became the IDF and established a military intelligence group codenamed 'Rabbit'. Rabbit was charged with intercepting and decoding Arab communications; a charge born of necessity.

Unit 8200 evolved out of Rabbit. Initially with little budget and low manpower, it was forced to develop its own technology and techniques -- the entrepreneurial spirit of the nation co-existed within its intelligence agency from its very origins.

The modern Unit 8200, however, grew out of the Yom Kippur War in 1973. On that Atonement Day, Israel was simultaneously invaded by Egypt and Syria. Although Israel eventually defeated the invaders it was at heavy cost in both lives and finance. Subsequent analysis showed that a failure in intelligence had left the nation unprepared -- and subsequent Unit 8200 reorganization was designed to prevent this ever happening again. Part of this was the conscious encouragement of 'chutzpah', (or audacity) among its staff.

This is the basis of today's Unit 8200: the cream of youth, highly trained in signals intelligence, encouraged to be audacious in thought and action, and imbued with an entrepreneurial spirit. These young people are then released back into society following their required national service in their early twenties. This is a situation unique in the world.

When talented youth join the NSA or FBI or GCHQ or any other national intelligence agency, they are expected to do so for life, not just for three years. No other nation has this constant stream of highly trained, audacious and entrepreneurial young people entering the job market every year. What else should the more entrepreneurial alumni do but start their own firms using the skills they have acquired; and what else should others do but work in the R&D departments of these firms?

IDF's cybersecurity training

SecurityWeek spoke to several founders of Israeli cybersecurity firms. All of them served in technology units, and most in Unit 8200. Other military units have their own technology sections; and these also lead to spin offs. Examples could include Yuval Diskin, former director of Shin Bet, who started the cyber-tech company Diskin Advanced Technologies LTD; and Haim Tomer, formerly head of the Mossad's Intelligence Division, who is now a cybersecurity consultant. Despite such examples, however, it is the alumni of 8200 that dominate the new start-ups.

Understanding why Israel produces so many cybersecurity firms starts with understanding the converyor belt of talent that 8200 produces. Lior Div (CEO), Yossi Nar (CVO), and Yonatan Striem-Amit (CTO) are the three ex-8200 co-founders of Cybereason. "It starts," explains Liv, "with how people are selected to get into 8200. The Unit interviews all new draftees, using a series of tests looking at background, math proficiency, programming capabilities and pure intelligence. 8200 gets 'first pick'."

Just two military units get the lion's share of the best of the best: pilots for the air force, and 8200 for cyber warriors. Draftees serve anything from three to five years. During this period, special talent is fast-tracked. "By the time I was 19, I already had 10 developers reporting to me," said Div.

But it is fast-tracking in a unique environment. In commercial terms, the 'projects' are now well-funded and manned. "You are taught one thing in particular," he continued: "there is no such thing as impossible -- there is no notion of what you can and cannot do. You are given a problem, you work like crazy and eventually you solve the problem. So by the time you are released, around age 22 or 23, you are trained to solve cybersecurity problems."

This training is unique. Having chosen its new intake, said Div, "the military undertakes intensive training. After six months, 'trainees' have learned what a traditional university would take four years to teach -- and they have learned the practice of their subject and not just the underlying theory. By the time they leave, they are trained and confident cybersecurity warriors with new ideas."

This is confirmed by Boris Vaynberg, co-founder and CEO of Solebit. He and his two co-founders, along with 95% of his R&D staff, are all IDF technology unit alumni. He points out that in order to stay one step ahead of Israel's adversaries, Unit 8200 must take advantage of all known and unknown vulnerabilities in order to get into target networks. In essence, 8200 members get constant on-the-job red team training; and by the time draftees leave the military, they have a thorough understanding -- through use -- of the techniques used by hackers.

Eddy Bobritsky, CEO and co-founder of Minerva Labs, did not serve in Unit 8200. "Neither I nor my 2 co-founders served with 8200," he said, "We served in the unit that builds defensive solutions for the IDF. IDF doesn't want to rely on off-the-shelf products only -- it's important to develop your own products, so nobody will know how they work. We were focused on developing scalable products for cybersecurity and IT." It's worth noting that the IDF is, in these terms, the largest company in Israel. Building security defenses suitable for the entire IDF and Israel government is equivalent to building a security product that will scale to the largest commercial organizations.

But it's not just the practical expertise of service that benefits budding entrepreneurs -- it is the whole culture. We've seen that 'nothing is impossible' and chutzpah is encouraged; but there is also a completely different 'product' development culture. "Inside the IDF," explained Bobritsky, "the motivation for developing new security is to save human life. It's not about financial profit. All I had to do was show that a vulnerability existed and that someone could be hurt if there was a compromise, and I would get the budget to execute the project and build a defense."

It's not the same in the commercial world. "Later, when I worked in a bank which was driven by money," he continued, "I needed to show that any investment in cybersecurity would not hurt income but actually increase income. Its a very different approach. For example, if you fail in the IDF, you don't get fired -- you're still in the army. The army is always encouraging you to try and not accept defeat in any project; so it encourages innovation." While serving in the IDF, Bobritsky was involved in the development of between 20 and 30 different cybersecurity solutions for the entire IDF and government.

"So the environment is to try and try again until you succeed. In the real world, if you fail you will sometimes lose your job; and if you've already lost one job through not succeeding, you're always a bit afraid to try a different approach to things wherever you go.

A second difference with the outside world is the extent of 'networking' within Israel's technology world. Although there are different technology units with different priorities, there is constant intercommunication between them. Everybody knows everybody, commented Amit Rahav, VP of business development at Secret Double Octopus, "with veterans of the Israeli intelligence units seeking to hire these young guys righty away, appreciating the pre-selection, training and experience of the units they themselves came out of. This is to some extent similar to what happens at Ivy league MBA programs in the US."

From new idea to new company

From here there is a well-trod path. Turning what has been learned into a new company requires funding. Early-stage venture capital is available in Israel for good ideas. Not all ideas are good; but Israeli investors have become savvy in technology. Nobody wanted to say that there is smart money and dumb money, but it was a common acknowledgment that Israeli money is smart. Good ideas get funded and dumb ideas never get off the ground.

"Israeli venture capital is available, but it is hard to get and getting harder," explained Solebit's Vaynberg. "Any new idea has to be disruptive and unique with a strong team behind it. It's easier to get VC outside of Israel," he continued, "because the Israeli VC firms have become very cybersecurity savvy, and there are so many approaches for what is already an overcrowded market."

At the same time, of course, the cost of getting a product presentation team together and flown to the U.S. to present to a U.S. venture capital firm is exorbitant for what is, at this stage, likely to be not much more than proof of concept on a new idea. Seed funding tends to come from Israel itself.

What this generally means is that when a new cybersecurity firm is ready to expand outside of Israel, it is already a fair bet. That expansion usually means a move to the U.S. rather than the UK or Europe. For this there are three motivations -- all of which SecurityWeek has already heard in different contexts . Firstly there is far more venture capital available in the US than elsewhere. It's just beginning in Europe: there's some in Berlin, but little in London.

Secondly, despite the European Union, there are at least six different cultures and different languages to understand within the member nations, as opposed to, basically, just one American culture and language. Thirdly, and perhaps most importantly, new technology early-adopters are more prevalent in America -- and especially on the West Coast -- than anywhere else.

The real decision is not America or Europe, but West Coast or East Coast. While the majority might be attracted to the entrepreneurial attitude of the West Coast, others are attracted by the big financial customers of the East Coast. Boston-based CyberArk is one. "We figured the biggest adoption for security would first come financial services firms, and that very much lent itself to the East Coast," commented CEO Udi Mokady, another 8200 alumni.

The path from concept to company is illustrated by Solebit itself. "Solebit was established 3 years ago," said Vaynberg. "R&D is based in Israel. Our headquarters, however, is currently relocating to the Bay Area. We raised our seed funding from an Israeli venture capital firm [$2 million from Glilot Capital Partners in 2015], and Round A funding from a U.S. venture capital firm." The Round A funding is so new that, although it has closed, it is yet to be announced.

Lessons from the Israeli cybersecurity model

The sad truth is that the IDF situation in Israel is unique, and could not be copied anywhere else in the world. It provides a constant source of technological competence trained to be audacious, persistent and positive. Other SIGINT organizations around the world do not release their staff on to the job market, preferring to keep them. Retired NSA, CIA and FBI staff tend to join the boards of existing large corporations; they do not tend to start new companies. In the UK, retired GCHQ and Ministry of Defence (MoD) officers might become private consultants, offering experience and expertise -- but rarely new ideas.

One idea alone could translate to other countries. The IDF, the largest company in Israel, funds the university fees for promising students, requiring only that they work for the IDF for a period after graduation. Large western organizations could do similar, finding and nurturing young talent. The idea of serious cybersecurity talent emerging with a sought-after degree and no student debt should be alluring to all sides.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.